localstack
diff --git a/‎localstack-core/localstack/services/sns/models.py
Lines changed: 9 additions & 2 deletions b/‎localstack-core/localstack/services/sns/models.py
Lines changed: 9 additions & 2 deletions
diff --git a/‎localstack-core/localstack/services/sns/provider.py
Lines changed: 12 additions & 4 deletions b/‎localstack-core/localstack/services/sns/provider.py
Lines changed: 12 additions & 4 deletions
diff --git a/‎localstack-core/localstack/services/sns/publisher.py
Lines changed: 15 additions & 8 deletions b/‎localstack-core/localstack/services/sns/publisher.py
Lines changed: 15 additions & 8 deletions
diff --git a/‎tests/aws/services/sns/conftest.py
Lines changed: 57 additions & 0 deletions b/‎tests/aws/services/sns/conftest.py
Lines changed: 57 additions & 0 deletions
diff --git a/‎tests/aws/services/sns/test_sns.py
Lines changed: 167 additions & 0 deletions b/‎tests/aws/services/sns/test_sns.py
Lines changed: 167 additions & 0 deletions
@@ -1,6 +1,7 @@
 import itertools
 import time
 from dataclasses import dataclass, field
+from enum import StrEnum
 from typing import Dict, List, Literal, Optional, TypedDict, Union
 
 from localstack.aws.api.sns import (
@@ -37,9 +38,15 @@ def get_next_sequence_number():
     return next(global_sns_message_sequence())
 
 
+class SnsMessageType(StrEnum):
+    Notification = "Notification"
+    SubscriptionConfirmation = "SubscriptionConfirmation"
+    UnsubscribeConfirmation = "UnsubscribeConfirmation"
+
+
 @dataclass
 class SnsMessage:
-    type: str
+    type: SnsMessageType
     message: Union[
         str, Dict
     ]  # can be Dict if after being JSON decoded for validation if structure is `json`
@@ -75,7 +82,7 @@ def message_content(self, protocol: SnsMessageProtocols) -> str:
     @classmethod
     def from_batch_entry(cls, entry: PublishBatchRequestEntry, is_fifo=False) -> "SnsMessage":
         return cls(
-            type="Notification",
+            type=SnsMessageType.Notification,
             message=entry["Message"],
             subject=entry.get("Subject"),
             message_structure=entry.get("MessageStructure"),
 
@@ -64,7 +64,13 @@
 from localstack.services.sns import usage
 from localstack.services.sns.certificate import SNS_SERVER_CERT
 from localstack.services.sns.filter import FilterPolicyValidator
-from localstack.services.sns.models import SnsMessage, SnsStore, SnsSubscription, sns_stores
+from localstack.services.sns.models import (
+    SnsMessage,
+    SnsMessageType,
+    SnsStore,
+    SnsSubscription,
+    sns_stores,
+)
 from localstack.services.sns.publisher import (
     PublishDispatcher,
     SnsBatchPublishContext,
@@ -429,9 +435,11 @@ def unsubscribe(
         if subscription["Protocol"] in ["http", "https"]:
             # TODO: actually validate this (re)subscribe behaviour somehow (localhost.run?)
             #  we might need to save the sub token in the store
+            # TODO: AWS only sends the UnsubscribeConfirmation if the call is unauthenticated or the requester is not
+            #  the owner
             subscription_token = encode_subscription_token_with_region(region=context.region)
             message_ctx = SnsMessage(
-                type="UnsubscribeConfirmation",
+                type=SnsMessageType.UnsubscribeConfirmation,
                 token=subscription_token,
                 message=f"You have chosen to deactivate subscription {subscription_arn}.\nTo cancel this operation and restore the subscription, visit the SubscribeURL included in this message.",
             )
@@ -604,7 +612,7 @@ def publish(
             store = self.get_store(account_id=context.account_id, region_name=context.region)
 
         message_ctx = SnsMessage(
-            type="Notification",
+            type=SnsMessageType.Notification,
             message=message,
             message_attributes=message_attributes,
             message_deduplication_id=message_deduplication_id,
@@ -763,7 +771,7 @@ def subscribe(
         # Send out confirmation message for HTTP(S), fix for https://github.com/localstack/localstack/issues/881
         if protocol in ["http", "https"]:
             message_ctx = SnsMessage(
-                type="SubscriptionConfirmation",
+                type=SnsMessageType.SubscriptionConfirmation,
                 token=subscription_token,
                 message=f"You have chosen to subscribe to the topic {topic_arn}.\nTo confirm the subscription, visit the SubscribeURL included in this message.",
             )
 
@@ -26,6 +26,7 @@
 from localstack.services.sns.models import (
     SnsApplicationPlatforms,
     SnsMessage,
+    SnsMessageType,
     SnsStore,
     SnsSubscription,
 )
@@ -242,7 +243,7 @@ def prepare_message(
         message_attributes = prepare_message_attributes(message_context.message_attributes)
 
         event_payload = {
-            "Type": message_context.type or "Notification",
+            "Type": message_context.type or SnsMessageType.Notification,
             "MessageId": message_context.message_id,
             "Subject": message_context.subject,
             "TopicArn": subscriber["TopicArn"],
@@ -482,14 +483,14 @@ def _publish(self, context: SnsPublishContext, subscriber: SnsSubscription):
                 "x-amz-sns-message-id": message_context.message_id,
                 "x-amz-sns-topic-arn": subscriber["TopicArn"],
             }
-            if message_context.type != "SubscriptionConfirmation":
+            if message_context.type != SnsMessageType.SubscriptionConfirmation:
                 # while testing, never had those from AWS but the docs above states it should be there
                 message_headers["x-amz-sns-subscription-arn"] = subscriber["SubscriptionArn"]
 
                 # When raw message delivery is enabled, x-amz-sns-rawdelivery needs to be set to 'true'
                 # indicating that the message has been published without JSON formatting.
                 # https://docs.aws.amazon.com/sns/latest/dg/sns-large-payload-raw-message-delivery.html
-                if message_context.type == "Notification":
+                if message_context.type == SnsMessageType.Notification:
                     if is_raw_message_delivery(subscriber):
                         message_headers["x-amz-sns-rawdelivery"] = "true"
                     if content_type := self._get_content_type(subscriber, context.topic_attributes):
@@ -526,7 +527,7 @@ def _publish(self, context: SnsPublishContext, subscriber: SnsSubscription):
                 topic_attributes=context.topic_attributes,
             )
             # AWS doesn't send to the DLQ if there's an error trying to deliver a UnsubscribeConfirmation msg
-            if message_context.type != "UnsubscribeConfirmation":
+            if message_context.type != SnsMessageType.UnsubscribeConfirmation:
                 sns_error_to_dead_letter_queue(subscriber, message_body, str(exc))
 
     @staticmethod
@@ -922,9 +923,12 @@ def compute_canonical_string(message: dict, notification_type: str) -> str:
     See https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html
     """
     # create the canonical string
-    if notification_type == "Notification":
+    if notification_type == SnsMessageType.Notification:
         fields = ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"]
-    elif notification_type in ("SubscriptionConfirmation", "UnsubscriptionConfirmation"):
+    elif notification_type in (
+        SnsMessageType.SubscriptionConfirmation,
+        SnsMessageType.UnsubscribeConfirmation,
+    ):
         fields = ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"]
     else:
         return ""
@@ -968,11 +972,14 @@ def create_sns_message_body(
         "Timestamp": timestamp_millis(),
     }
 
-    if message_type == "Notification":
+    if message_type == SnsMessageType.Notification:
         unsubscribe_url = create_unsubscribe_url(external_url, subscriber["SubscriptionArn"])
         data["UnsubscribeURL"] = unsubscribe_url
 
-    elif message_type in ("UnsubscribeConfirmation", "SubscriptionConfirmation"):
+    elif message_type in (
+        SnsMessageType.SubscriptionConfirmation,
+        SnsMessageType.UnsubscribeConfirmation,
+    ):
         data["Token"] = message_context.token
         data["SubscribeURL"] = create_subscribe_url(
             external_url, subscriber["TopicArn"], message_context.token
 
@@ -0,0 +1,57 @@
+import pytest
+
+from localstack.utils.strings import short_uid
+
+LAMBDA_FN_SNS_ENDPOINT = """
+import boto3, json, os
+def handler(event, *args):
+    if "AWS_ENDPOINT_URL" in os.environ:
+        sqs_client = boto3.client("sqs", endpoint_url=os.environ["AWS_ENDPOINT_URL"])
+    else:
+        sqs_client = boto3.client("sqs")
+
+    queue_url = os.environ.get("SQS_QUEUE_URL")
+    message = {"event": event}
+    sqs_client.send_message(QueueUrl=queue_url, MessageBody=json.dumps(message), MessageGroupId="1")
+    return {"statusCode": 200}
+"""
+
+
+@pytest.fixture
+def create_sns_http_endpoint_and_queue(
+    aws_client, account_id, create_lambda_function, sqs_create_queue
+):
+    lambda_client = aws_client.lambda_
+
+    def _create_sns_http_endpoint():
+        function_name = f"lambda_fn_sns_endpoint-{short_uid()}"
+
+        # create SQS queue for results
+        queue_name = f"{function_name}.fifo"
+        queue_attrs = {"FifoQueue": "true", "ContentBasedDeduplication": "true"}
+        queue_url = sqs_create_queue(QueueName=queue_name, Attributes=queue_attrs)
+        aws_client.sqs.add_permission(
+            QueueUrl=queue_url,
+            Label=f"lambda-sqs-{short_uid()}",
+            AWSAccountIds=[account_id],
+            Actions=["SendMessage"],
+        )
+
+        create_lambda_function(
+            func_name=function_name,
+            handler_file=LAMBDA_FN_SNS_ENDPOINT,
+            envvars={"SQS_QUEUE_URL": queue_url},
+        )
+        create_url_response = lambda_client.create_function_url_config(
+            FunctionName=function_name, AuthType="NONE", InvokeMode="BUFFERED"
+        )
+        aws_client.lambda_.add_permission(
+            FunctionName=function_name,
+            StatementId="urlPermission",
+            Action="lambda:InvokeFunctionUrl",
+            Principal="*",
+            FunctionUrlAuthType="NONE",
+        )
+        return create_url_response["FunctionUrl"], queue_url
+
+    return _create_sns_http_endpoint
@@ -3921,6 +3921,173 @@ def _clean_headers(response_headers: dict):
             snapshot.match("http-message", payload)
             snapshot.match("http-message-headers", _clean_headers(notification_request.headers))
 
+    @markers.aws.validated
+    def test_subscribe_external_http_endpoint_lambda_url_sig_validation(
+        self,
+        create_sns_http_endpoint_and_queue,
+        sns_create_topic,
+        sns_subscription,
+        aws_client,
+        snapshot,
+        sqs_collect_messages,
+    ):
+        def _get_snapshot_from_lambda_url_msg(events: list[dict]) -> dict:
+            formatted_events = []
+
+            def _filter_headers(headers: dict) -> dict:
+                filtered_headers = {}
+                for key, value in headers.items():
+                    l_key = key.lower()
+                    if l_key.startswith("x-amz-sns") or key in (
+                        "content-type",
+                        "accept-encoding",
+                        "user-agent",
+                    ):
+                        filtered_headers[key] = value
+
+                return filtered_headers
+
+            for event in events:
+                msg = json.loads(event["Body"])["event"]
+                formatted_events.append(
+                    {"headers": _filter_headers(msg["headers"]), "body": json.loads(msg["body"])}
+                )
+
+            return {"events": formatted_events}
+
+        def validate_message_signature(msg_event: dict, msg_type: str):
+            cert_url = msg_event["SigningCertURL"]
+            get_cert_req = requests.get(cert_url)
+            assert get_cert_req.ok
+
+            cert = x509.load_pem_x509_certificate(get_cert_req.content)
+            message_signature = msg_event["Signature"]
+            # create the canonical string
+            if msg_type == "Notification":
+                fields = ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"]
+            else:
+                fields = [
+                    "Message",
+                    "MessageId",
+                    "SubscribeURL",
+                    "Timestamp",
+                    "Token",
+                    "TopicArn",
+                    "Type",
+                ]
+
+            # Build the string to be signed.
+            string_to_sign = "".join(
+                [f"{field}\n{msg_event[field]}\n" for field in fields if field in msg_event]
+            )
+
+            # decode the signature from base64.
+            decoded_signature = base64.b64decode(message_signature)
+
+            message_sig_version = msg_event["SignatureVersion"]
+            # this is a bug on AWS side, assert our behaviour is the same for now, this might get fixed
+            assert message_sig_version == "1"
+            signature_hash = hashes.SHA1() if message_sig_version == "1" else hashes.SHA256()
+
+            # calculate signature value with cert
+            # if the signature is invalid, this will raise an exception
+            cert.public_key().verify(
+                decoded_signature,
+                to_bytes(string_to_sign),
+                padding=padding.PKCS1v15(),
+                algorithm=signature_hash,
+            )
+
+        snapshot.add_transformer(
+            [
+                snapshot.transform.key_value("RequestId"),
+                snapshot.transform.key_value("Token"),
+                snapshot.transform.key_value("Host"),
+                snapshot.transform.regex(
+                    r"(?i)(?<=SubscribeURL[\"|']:\s[\"|'])(https?.*?)(?=/\?Action=ConfirmSubscription)",
+                    replacement="<subscribe-domain>",
+                ),
+            ]
+        )
+        http_endpoint_url, queue_url = create_sns_http_endpoint_and_queue()
+        topic_arn = sns_create_topic()["TopicArn"]
+        sns_protocol = http_endpoint_url.split("://")[0]
+        subscription = sns_subscription(
+            TopicArn=topic_arn, Protocol=sns_protocol, Endpoint=http_endpoint_url
+        )
+        subscription_arn = subscription["SubscriptionArn"]
+        delivery_policy = {
+            "healthyRetryPolicy": {
+                "minDelayTarget": 1,
+                "maxDelayTarget": 1,
+                "numRetries": 0,
+                "numNoDelayRetries": 0,
+                "numMinDelayRetries": 0,
+                "numMaxDelayRetries": 0,
+                "backoffFunction": "linear",
+            },
+            "sicklyRetryPolicy": None,
+            "throttlePolicy": {"maxReceivesPerSecond": 1000},
+            "guaranteed": False,
+        }
+        aws_client.sns.set_subscription_attributes(
+            SubscriptionArn=subscription_arn,
+            AttributeName="DeliveryPolicy",
+            AttributeValue=json.dumps(delivery_policy),
+        )
+
+        messages = sqs_collect_messages(queue_url, expected=1, timeout=10)
+        subscribe_event = _get_snapshot_from_lambda_url_msg(messages)
+        snapshot.match("subscription-confirmation", subscribe_event)
+
+        subscribe_payload = subscribe_event["events"][0]["body"]
+
+        validate_message_signature(
+            subscribe_payload,
+            msg_type=subscribe_event["events"][0]["headers"]["x-amz-sns-message-type"],
+        )
+
+        token = subscribe_payload["Token"]
+        subscribe_url = subscribe_payload["SubscribeURL"]
+        service_url, subscribe_url_path = subscribe_url.rsplit("/", maxsplit=1)
+        # we manually assert here to be sure the format is right, as it hard to verify with snapshots
+        assert subscribe_url == (
+            f"{service_url}/?Action=ConfirmSubscription&TopicArn={topic_arn}&Token={token}"
+        )
+
+        confirm_subscription = aws_client.sns.confirm_subscription(TopicArn=topic_arn, Token=token)
+        snapshot.match("confirm-subscription", confirm_subscription)
+
+        subscription_attributes = aws_client.sns.get_subscription_attributes(
+            SubscriptionArn=subscription_arn
+        )
+        assert subscription_attributes["Attributes"]["PendingConfirmation"] == "false"
+
+        message = "test_external_http_endpoint"
+        aws_client.sns.publish(TopicArn=topic_arn, Message=message)
+
+        messages = sqs_collect_messages(queue_url, expected=1, timeout=10)
+        publish_event = _get_snapshot_from_lambda_url_msg(messages)
+        snapshot.match("publish-event", publish_event)
+        publish_payload = publish_event["events"][0]["body"]
+        validate_message_signature(
+            publish_payload,
+            msg_type=publish_event["events"][0]["headers"]["x-amz-sns-message-type"],
+        )
+
+        unsub_request = requests.get(publish_payload["UnsubscribeURL"])
+        assert b"UnsubscribeResponse" in unsub_request.content
+
+        messages = sqs_collect_messages(queue_url, expected=1, timeout=10)
+        unsubscribe_event = _get_snapshot_from_lambda_url_msg(messages)
+        snapshot.match("unsubscribe-event", unsubscribe_event)
+
+        unsubscribe_payload = unsubscribe_event["events"][0]["body"]
+        validate_message_signature(
+            unsubscribe_payload,
+            msg_type=unsubscribe_event["events"][0]["headers"]["x-amz-sns-message-type"],
+        )
+
 
 class TestSNSSubscriptionFirehose:
     @markers.aws.validated